fostel@ncsu.UUCP (06/21/83)
Someone suggested the REAL problem was what happens after a villian has broken through. Probably true. Sadly, if they are a clever villian you are in deep trouble. A few things will thwart novice villians. (Wow, three misspellings in a row!)

1) In the crontab, put a late-night find over the entire file system to look for: progs setuid to root, or setgid to administrative groups; files which are strangely comparable to things like "rogue" in size. Fortunately, if the find is run as SU, it will look in dirs that start with a "." -- a common hiding place. A SU ls will too.

2) As part of your "backup" procedures, you might want to copy in fresh material for the sources and executables for all programs. This will foil bastardized copies of "passwd" or other booby-traps.

3) Check the search path, login profiles and other default action files (.mailrc ...) to see that there are no tricks installed there. This is only needed for privileged users. Check / also, as that is often the home directory for root and some shells will look there for profiles and such. Check the personal bins or other bins on your search dir, or preferably don't search other people's dirs.

4) Check protections on crucial files and directories. You'll need to use the -d and -g switches. Classic is / not protected: how often do you try "ls -ld /"?

And so on into the night. It is possible to automate a lot of this to be done periodically. Be sure to check, by hand, that no one has touched up your checker daemon to no longer check something it used to.

If you want to play with the kernel, a military trick is to not allow SU except on certain terminals, like the one locked in your office. Certainly NOT on dial-ups. Another military trick is to put code to check whenever /etc/passwd is opened that there is indeed only the expected number of processes: shell and passwd. This foils the "prog that prints login: and then waits" trick.

Oh, this is so much fun! But seriously, making a UNIX secure is VERY HARD WORK!
And I presume the tapes you refresh the sources and utilities from are kept in a locked vault to prevent forgeries...... ARRRRRRGGHHHHHHH! ----GaryFostel----
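The nightly find of points 1 and 4 above, written out as a small POSIX sh audit. This is an added example, not code from the original post: it builds a constructed scratch tree (a legitimate setuid "passwd", a setuid binary planted under a dot-directory, and a world-writable home directory) so it can be run without touching a real filesystem, and the demo audits files owned by the current user because the test cannot create root-owned files; on a real system you would pass `root` and run it from root's crontab.

```sh
#!/bin/sh
# Added example (not from the original post). All paths and names below are
# constructed for the demo; the audit functions take the tree and owner as arguments.
set -u

# List regular files under $1 that are setuid and owned by $2 (default: root).
# find(1) descends into dot-directories such as .hidden, the hiding place the post mentions.
audit_setuid() {
    find "$1" -type f -user "${2:-root}" -perm -4000 2>/dev/null | sort
}

# List regular files under $1 that are setgid to any of the space-separated groups in $2.
audit_setgid() {
    for g in $2; do
        find "$1" -type f -group "$g" -perm -2000 2>/dev/null
    done | sort
}

# List world-writable directories under $1 (the "ls -ld /" check applied to every dir).
audit_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Count the lines in $1, returning 0 for an empty string (wc would report 1 for "\n").
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Build the constructed scratch tree and print its path.
build_demo_tree() {
    T=$(mktemp -d)
    mkdir -p "$T/bin" "$T/.hidden" "$T/home/alice"
    : > "$T/bin/passwd"; : > "$T/bin/ls"
    : > "$T/.hidden/rogue"; : > "$T/home/alice/.profile"
    chmod 4755 "$T/bin/passwd"      # the one setuid program we expect to see
    chmod 4755 "$T/.hidden/rogue"   # a planted setuid binary hidden in a dot-directory
    chmod 0755 "$T/bin/ls"
    chmod 0777 "$T/home/alice"      # sloppy directory protection, the classic "/" mistake
    echo "$T"
}

# Run the audit against the scratch tree and print a report, then clean up.
demo() {
    T=$(build_demo_tree)
    me=$(id -un)
    echo "== setuid files owned by $me =="
    audit_setuid "$T" "$me"
    echo "== setgid files for group $(id -gn) =="
    audit_setgid "$T" "$(id -gn)"
    echo "== world-writable directories =="
    audit_world_writable_dirs "$T"
    rm -rf "$T"
}

# Only run the demo when executed directly, not when sourced by a test harness.
case "${0##*/}" in
    sh|bash|dash|-*) ;;
    *) demo ;;
esac
```

Two things the script cannot do for you, as the post warns: a find run as an ordinary user cannot see into directories it has no permission on, so the cron entry must run as root, and the script itself is a file an intruder could edit, so compare it by hand (or by checksum from offline media) against a copy you trust before believing its report.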